blackshades | b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe
Size

520KB
MD5

36a828650bba44e1b32b96bd0c15f427
SHA1

17c64a0eff01a4175eb0b521338edebde76cdb92
SHA256

b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487
SHA512

3b2d16a3741ae17d3fae894370d6dd483e72e4ee4e9abecdeda13178c1a86504770e7ee2122b5a66eecb29cffc15665a101d46e493ad9bea4ed0abf829003608
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXQ:zW6ncoyqOp6IsTl/mXQ

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 13 IoCs

resource	yara_rule
behavioral2/memory/4484-515-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4484-517-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4484-522-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4484-523-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4484-525-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4484-526-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4484-527-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4484-529-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4484-530-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4484-531-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4484-533-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4484-534-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4484-535-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\GUQSWUXINSFCRRE\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUQSWUXINSFCRRE\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 20 IoCs

pid	Process
3936	service.exe
3216	service.exe
5048	service.exe
3584	service.exe
1940	service.exe
3400	service.exe
4104	service.exe
828	service.exe
3456	service.exe
3496	service.exe
836	service.exe
3048	service.exe
2928	service.exe
5064	service.exe
4476	service.exe
4388	service.exe
4672	service.exe
3500	service.exe
4680	service.exe
4484	service.exe

Adds Run key to start application 2 TTPs 19 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BQROXJPUGEIDLWA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RJIQEEFAFBWRELG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVUYLBPLJXOANQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKEDKTJOGXOCND\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HVCLYUSDXKDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCYQWOFPIHJWWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DRNLPCPRMFJKTPC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MHWUKUOMPAFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPTGKGEUSJJLGCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEKBSJIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WTSWJNJHXVMMOJC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTICBIRHMEVMALB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEDQGUQNSFSUPIM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCHOYAAOTLTHR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XVANDRMKPCPRMFI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQIOVHHBUBSOYPK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVSRVIMIGWULLNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSHBYAHQGMDULAK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWLKLHFMHXKSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CRQEFBBWREMGLIT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HAQHRNICCRSPYKQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GLHITQOSNVJKDKK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASCOOPKJPLBOWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JXGGSYOMQLTIJBI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOTLTHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LQMANYVBTXSOPCH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VONVJJKFDKGWJQA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OTYEFDLDIXWKLHF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRRSNLSODRYI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TRQUHLHFVTKJLGD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOULTHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FBBWRFMGLITQOSN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUQSWUXINSFCRRE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPDPAXDVUQSEKR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJAKDXBEUQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KYFOXVGCNGHXQTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JWSAVYXLPUBCIAF\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4680 set thread context of 4484	4680	service.exe	175

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2616	reg.exe
1940	reg.exe
2812	reg.exe
1832	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	4484	service.exe
Token: SeCreateTokenPrivilege	4484	service.exe
Token: SeAssignPrimaryTokenPrivilege	4484	service.exe
Token: SeLockMemoryPrivilege	4484	service.exe
Token: SeIncreaseQuotaPrivilege	4484	service.exe
Token: SeMachineAccountPrivilege	4484	service.exe
Token: SeTcbPrivilege	4484	service.exe
Token: SeSecurityPrivilege	4484	service.exe
Token: SeTakeOwnershipPrivilege	4484	service.exe
Token: SeLoadDriverPrivilege	4484	service.exe
Token: SeSystemProfilePrivilege	4484	service.exe
Token: SeSystemtimePrivilege	4484	service.exe
Token: SeProfSingleProcessPrivilege	4484	service.exe
Token: SeIncBasePriorityPrivilege	4484	service.exe
Token: SeCreatePagefilePrivilege	4484	service.exe
Token: SeCreatePermanentPrivilege	4484	service.exe
Token: SeBackupPrivilege	4484	service.exe
Token: SeRestorePrivilege	4484	service.exe
Token: SeShutdownPrivilege	4484	service.exe
Token: SeDebugPrivilege	4484	service.exe
Token: SeAuditPrivilege	4484	service.exe
Token: SeSystemEnvironmentPrivilege	4484	service.exe
Token: SeChangeNotifyPrivilege	4484	service.exe
Token: SeRemoteShutdownPrivilege	4484	service.exe
Token: SeUndockPrivilege	4484	service.exe
Token: SeSyncAgentPrivilege	4484	service.exe
Token: SeEnableDelegationPrivilege	4484	service.exe
Token: SeManageVolumePrivilege	4484	service.exe
Token: SeImpersonatePrivilege	4484	service.exe
Token: SeCreateGlobalPrivilege	4484	service.exe
Token: 31	4484	service.exe
Token: 32	4484	service.exe
Token: 33	4484	service.exe
Token: 34	4484	service.exe
Token: 35	4484	service.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
208	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe
3936	service.exe
3216	service.exe
5048	service.exe
3584	service.exe
1940	service.exe
3400	service.exe
4104	service.exe
828	service.exe
3456	service.exe
3496	service.exe
836	service.exe
3048	service.exe
2928	service.exe
5064	service.exe
4476	service.exe
4388	service.exe
4672	service.exe
3500	service.exe
4680	service.exe
4484	service.exe
4484	service.exe
4484	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 948	208	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	87
PID 208 wrote to memory of 948	208	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	87
PID 208 wrote to memory of 948	208	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	87
PID 948 wrote to memory of 1848	948	cmd.exe	89
PID 948 wrote to memory of 1848	948	cmd.exe	89
PID 948 wrote to memory of 1848	948	cmd.exe	89
PID 208 wrote to memory of 3936	208	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	90
PID 208 wrote to memory of 3936	208	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	90
PID 208 wrote to memory of 3936	208	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	90
PID 3936 wrote to memory of 3100	3936	service.exe	93
PID 3936 wrote to memory of 3100	3936	service.exe	93
PID 3936 wrote to memory of 3100	3936	service.exe	93
PID 3100 wrote to memory of 2688	3100	cmd.exe	95
PID 3100 wrote to memory of 2688	3100	cmd.exe	95
PID 3100 wrote to memory of 2688	3100	cmd.exe	95
PID 3936 wrote to memory of 3216	3936	service.exe	98
PID 3936 wrote to memory of 3216	3936	service.exe	98
PID 3936 wrote to memory of 3216	3936	service.exe	98
PID 3216 wrote to memory of 3852	3216	service.exe	99
PID 3216 wrote to memory of 3852	3216	service.exe	99
PID 3216 wrote to memory of 3852	3216	service.exe	99
PID 3852 wrote to memory of 2232	3852	cmd.exe	101
PID 3852 wrote to memory of 2232	3852	cmd.exe	101
PID 3852 wrote to memory of 2232	3852	cmd.exe	101
PID 3216 wrote to memory of 5048	3216	service.exe	102
PID 3216 wrote to memory of 5048	3216	service.exe	102
PID 3216 wrote to memory of 5048	3216	service.exe	102
PID 5048 wrote to memory of 2544	5048	service.exe	103
PID 5048 wrote to memory of 2544	5048	service.exe	103
PID 5048 wrote to memory of 2544	5048	service.exe	103
PID 2544 wrote to memory of 1204	2544	cmd.exe	105
PID 2544 wrote to memory of 1204	2544	cmd.exe	105
PID 2544 wrote to memory of 1204	2544	cmd.exe	105
PID 5048 wrote to memory of 3584	5048	service.exe	107
PID 5048 wrote to memory of 3584	5048	service.exe	107
PID 5048 wrote to memory of 3584	5048	service.exe	107
PID 3584 wrote to memory of 448	3584	service.exe	108
PID 3584 wrote to memory of 448	3584	service.exe	108
PID 3584 wrote to memory of 448	3584	service.exe	108
PID 448 wrote to memory of 1700	448	cmd.exe	110
PID 448 wrote to memory of 1700	448	cmd.exe	110
PID 448 wrote to memory of 1700	448	cmd.exe	110
PID 3584 wrote to memory of 1940	3584	service.exe	111
PID 3584 wrote to memory of 1940	3584	service.exe	111
PID 3584 wrote to memory of 1940	3584	service.exe	111
PID 1940 wrote to memory of 1528	1940	service.exe	114
PID 1940 wrote to memory of 1528	1940	service.exe	114
PID 1940 wrote to memory of 1528	1940	service.exe	114
PID 1528 wrote to memory of 3028	1528	cmd.exe	116
PID 1528 wrote to memory of 3028	1528	cmd.exe	116
PID 1528 wrote to memory of 3028	1528	cmd.exe	116
PID 1940 wrote to memory of 3400	1940	service.exe	117
PID 1940 wrote to memory of 3400	1940	service.exe	117
PID 1940 wrote to memory of 3400	1940	service.exe	117
PID 3400 wrote to memory of 1108	3400	service.exe	118
PID 3400 wrote to memory of 1108	3400	service.exe	118
PID 3400 wrote to memory of 1108	3400	service.exe	118
PID 1108 wrote to memory of 4348	1108	cmd.exe	120
PID 1108 wrote to memory of 4348	1108	cmd.exe	120
PID 1108 wrote to memory of 4348	1108	cmd.exe	120
PID 3400 wrote to memory of 4104	3400	service.exe	121
PID 3400 wrote to memory of 4104	3400	service.exe	121
PID 3400 wrote to memory of 4104	3400	service.exe	121
PID 4104 wrote to memory of 4948	4104	service.exe	122

C:\Users\Admin\AppData\Local\Temp\b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe
"C:\Users\Admin\AppData\Local\Temp\b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQOSNV.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CRQEFBBWREMGLIT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HAQHRNICCRSPYKQ\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1848
- C:\Users\Admin\AppData\Local\Temp\HAQHRNICCRSPYKQ\service.exe
  "C:\Users\Admin\AppData\Local\Temp\HAQHRNICCRSPYKQ\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRCWVK.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3100
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OSPDPAXDVUQSEKR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2688
- - C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe
    "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGHENF.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3852
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KYFOXVGCNGHXQTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe
      "C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2544
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGEUSJJLGCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1204
    - - C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3584
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXTRAA.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BQROXJPUGEIDLWA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1700
      - C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFGPLY.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTSWJNJHXVMMOJC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEHIRN.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YVUYLBPLJXOANQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNWSFC.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQNSFSUPIM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHR\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHR\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQRXDE.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HVCLYUSDXKDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVANDRMKPCPRMFI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQIOVHHBUBSOYPK\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\WQIOVHHBUBSOYPK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WQIOVHHBUBSOYPK\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTOXOD.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GLHITQOSNVJKDKK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOWF\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOWF\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIRNVN.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXGGSYOMQLTIJBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBEFOK.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVSRVIMIGWULLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULAK\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULAK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULAK\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOPYAT.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQMANYVBTXSOPCH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOWOIB.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DRNLPCPRMFJKTPC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHXKSB.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OTYEFDLDIXWKLHF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempENJXW.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TRQUHLHFVTKJLGD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVJKKT.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FBBWRFMGLITQOSN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUQSWUXINSFCRRE\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\GUQSWUXINSFCRRE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GUQSWUXINSFCRRE\service.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\GUQSWUXINSFCRRE\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\GUQSWUXINSFCRRE\service.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        22⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        23⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\GUQSWUXINSFCRRE\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUQSWUXINSFCRRE\service.exe:*:Enabled:Windows Messanger" /f
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\GUQSWUXINSFCRRE\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUQSWUXINSFCRRE\service.exe:*:Enabled:Windows Messanger" /f
        23⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        23⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        23⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempBEFOK.txt

Filesize
163B

MD5
fe0cd675e27063dfe4c8dff3ea68c455

SHA1
e46a35fa22461c1816d23561cf5e0faaa8dabaf6

SHA256
27ffeb64d8931b2d762bca7ae855666afbeda91b97c06c11768327eb39db6a91

SHA512
e294e2ce842ec8f577b1048b629a6d1dc6c6bb175f76541e6697207a92711be66f5c98dcb800a6295646a6e07f91653f6b872fc9ffad28a7ac7de124f6c02bbc

Download Submit
C:\Users\Admin\AppData\Local\TempEHIRN.txt

Filesize
163B

MD5
b4316b431afff4c501a2f415689cc9c7

SHA1
ba5bb8a12985cf2d836d2a185f66b87bfcd44baf

SHA256
ae1d8e6717b001e9e920672cd5bda28ed73bba5c83fc73f1e3c0b37133c6ea4c

SHA512
fd5d03b1c7fa33ed0a45be777e4fb67186d48be5c324be373f8f9916182041a613de1ef5f8ef6dbd0ae83ae8ea9060229a3f85734937484433022d0f06d73254

Download Submit
C:\Users\Admin\AppData\Local\TempENJXW.txt

Filesize
163B

MD5
cbbf1902e66d7a34c5d522ed7fdb5daa

SHA1
9880d5fd3133ee71f3a62fd2d98e8f6dd359660f

SHA256
bfc2f7a0a5ac63aa44bb35019d32d50ea8cc4aacc69530ecd2c176c980d3c368

SHA512
c18f28b6dba7f1dff2ec9caed0653fee49b7541d43edbbcbf8661fcdbb133e8e63f2d956594c2209c277c2c1f4856a6a3e1090100d2a5200d72c95072964c5dc

Download Submit
C:\Users\Admin\AppData\Local\TempFGPLY.txt

Filesize
163B

MD5
7321dc83efd654ee2b765694c059ae1a

SHA1
c49b071bb2dd8c44934df9826539b31a7deec795

SHA256
66adcee4dba8cc420d595fbb1f2236c78cb105b8fc0a5f0bdb34ca438465151c

SHA512
2268932fef898fd95eec7089ee6c1d56a352b8e6a8a5f972f2faf21e6fa0998cede6371c6b2b1fb3345d833537b66106f621bf567cb55380a5996ba4bbb4d9d7

Download Submit
C:\Users\Admin\AppData\Local\TempGHENF.txt

Filesize
163B

MD5
34331fcf61aa5622b12b712a86f369f9

SHA1
0bed5e396dc438a4addea5fa2b0d75260701e166

SHA256
dd529304e84102b2a72afc887ce69729dfd80497dbde084b8bfb0891fa1ca45a

SHA512
9ef48d7fd0c326c0ef6c2937d86400f9b7fe5b910211c0cf7091876193113388b567e641a5b6defc2f6110e7b920497da00acba92525a591789122fc9d901c52

Download Submit
C:\Users\Admin\AppData\Local\TempHXKSB.txt

Filesize
163B

MD5
fc508a05701603b137239b0aae4c0584

SHA1
ae826da4c2a54b45ffcce74eecd71f8c35ba2a34

SHA256
04d3ed27b21c1ee3dddaf516333922800f84e56b40c550e849a8cbcfbc47e866

SHA512
07b885298039c73e32739a442081ab1151324c1f34bbcbcfcc63ac30b71e0d059016c2b884b57e31431f16e8d942f31123a1d970e3e2d62474da2a663a269d87

Download Submit
C:\Users\Admin\AppData\Local\TempIRNVN.txt

Filesize
163B

MD5
be4fe0f139da23ce7e36df809b24f80a

SHA1
b42e9910deaf935e97ce5839ad64ca1ed970b4c8

SHA256
f2451be1408457a30569a48630405f1313a761c810ac697b31c820887adf41c1

SHA512
0a456184139eb64e9085c95f3a9859415bac94ac4397391b18cf024ba6999c76d17a380c42d83a21496287388226b0fa661a25ec0340551c099dbd6d1455ee98

Download Submit
C:\Users\Admin\AppData\Local\TempKTPCO.txt

Filesize
163B

MD5
30385abf0f63662b6e75898d9a4b335c

SHA1
97309933f28fa00ec0fa503fdf10c45d91ac295e

SHA256
2ebe087623811b666cc6a8b0d76cd5d7b3f205d3db7955fa2248f810fbd3ee8b

SHA512
d44b38a958ab24af632ef3668d2c12529c3850b2abe0f36665e177506dd3fa6e38ed7549960af221807bcae7a08c87ed9857543088f7492eeda443e0a81ad527

Download Submit
C:\Users\Admin\AppData\Local\TempMIWVH.txt

Filesize
163B

MD5
744a5026709d2e515773358787335ddd

SHA1
30e8cd8484237258baf44dbe7519134890471634

SHA256
275ff9d4af6a5aa1439bb2288cb5bb576546130da74f614bd575738da1bb21e9

SHA512
7f2de32cf6b2874543a0c05b18c146bbcc804509cbd040f66d6facd63d56f0a765cbc9e14e513cff32fd8cc7d475c8532e11fa135fa94f76c233b369eb54d33a

Download Submit
C:\Users\Admin\AppData\Local\TempNWSFC.txt

Filesize
163B

MD5
423107d263c7541ce29d04a6bed9a596

SHA1
d7ea742b66b06162d7b26450a75058df025760b0

SHA256
b4eac9e1742272be68c3d8d47667d6a9527a4281818bfa138c851339cec6dfeb

SHA512
64359c79a61d64bff6876132749fce9d5e7081f8bc1d11d60246bf5e75fcde6321a222edd90347b079d47229c7451f0cc2219c53862d3744b5034d86cda41f70

Download Submit
C:\Users\Admin\AppData\Local\TempOPYAT.txt

Filesize
163B

MD5
4bcca904a941f8d8e580f005b741c70e

SHA1
af3a26eb0bb66219315e4cd7c1d4b8f8a4530258

SHA256
758ddbcc0c4b04ab8f8746bd0379badf35f28728ed12489572bf6e6a19ced52d

SHA512
85df4081ec72ef5ab53c29f84c4a80d53ab65514ed8fa3c74ac7eb02eb17b16042e7f10ebde6f809c57c7c74c039a6067800e68fed11543b7d8a295b5d52de09

Download Submit
C:\Users\Admin\AppData\Local\TempOWOIB.txt

Filesize
163B

MD5
37d7864287b7bc3e0b11f0a172d48910

SHA1
f952a765f70172e7d15295e4a38605b7cbe87863

SHA256
f80999a3b6dbf94e0e89e6800b182deb113cf7ec1dd3f28a8a10192b7ab331fd

SHA512
8e9809b73b9378acb93d0007377bafb29f3acc94efae8d4267a2bfa03564f2f2f6cbed7b56146a68b64736509e187fac96e1a83e85f5f049914c9fc45b3d356b

Download Submit
C:\Users\Admin\AppData\Local\TempQBUUJ.txt

Filesize
163B

MD5
c872ef42f00e73a0319a155ea74d0e15

SHA1
7410c08d0e874446ecc7eff67abe22578e496d92

SHA256
356cb8a3f03f52001f593dab167201e1a906ff4a524164aff93eef9501a28f3f

SHA512
7646ff930bb06bcac5b5ba579e465a8b4f02809ec81df59655a17c03c30e81ad3c57be8573efa8cd45a3b005816775b5d78470e337ae6d5a953cdf263a4c4bbb

Download Submit
C:\Users\Admin\AppData\Local\TempQOSNV.txt

Filesize
163B

MD5
c696fd641b83137bcafecb5933e31777

SHA1
4f848efc4328b6e77cb3ae0b96a2ae49f345db8e

SHA256
f4b5a950ce21d3df4bb02d3d97b3ca1a697681ec3fd1a2954b1fc68cb8911471

SHA512
5df9c5e478630ade13917b243ff552d8934d1ddd984f67396229d02bada4cc66ab36f5fbb64e1b398db2eb5708293c63f2f12762c522f470305297cc8731bfe2

Download Submit
C:\Users\Admin\AppData\Local\TempQRXDE.txt

Filesize
163B

MD5
a0d92f15c35efe799fcd8f9d69604dd1

SHA1
4975b6b8b2afb835fc9ecb72620dd45355acc76d

SHA256
f28ef8312505d6820a1634969e4d4bfb6bd465f19eeb1c6f3124b066eb10e88d

SHA512
6f01e8769241fe821afe99e88079b4dfcb9ff89a565cc0c78663718846cede9c02a9d479ca67103babaedee235114f9b205e03f124711211bf838da04bd67731

Download Submit
C:\Users\Admin\AppData\Local\TempRCWVK.txt

Filesize
163B

MD5
4809ec2f12ada5a5013073e4e2d9bc0d

SHA1
4f16adbf858b3e47216e41545410d1183b8b5809

SHA256
14dca8875a37845d0d6eb878abdf2f8e742008540cd4705300db788d66a45953

SHA512
3e6a5b3a428f3252b0e82f3d82a0928b286b7b421e06f92138efaa50a47d9fd522837affa3fcd3b98b4b09aa0dfe3bdd4f1c4d21f9ac9bd498f15923f6891bd2

Download Submit
C:\Users\Admin\AppData\Local\TempTOXOD.txt

Filesize
163B

MD5
8c03a8d780e20fb37ab5a57ebd6789cc

SHA1
fd5400f32513530c6631bd6b5897666e73c9c789

SHA256
0c5d381a5daade76fc0376533283b55119cfdd11444da29bd642a0c727fbfb37

SHA512
6826317bf2638dc7cccff24cb3520406548f9fb46595d628860e4672c0119aa7b928916a420daaed6806a8a62fededbc80ef813f86e4bf1b0049a2201f63e1cc

Download Submit
C:\Users\Admin\AppData\Local\TempVJKKT.txt

Filesize
163B

MD5
1ee69e517e217d2557cfb755526dd742

SHA1
b3253efdcb74f79626dcfab56705789fc00a157f

SHA256
d33fd9cc910673751434d6f250319b8e8df880132d0132dd026ae64343786642

SHA512
956021d608e1d377da6b6b719d706ad4c77562fda2b3735ed7c593d8110c979c8e36b35fcf04c676bfa150871effe9c0d4a84674dd2ae043baa168c72323a9e0

Download Submit
C:\Users\Admin\AppData\Local\TempXTRAA.txt

Filesize
163B

MD5
0de94a93a61d5ef525d8b3e4df85f051

SHA1
ee2e56db31e3dd002bfc6e81ffbcf9c732d46648

SHA256
b514ead2bc3768c5235493fb5f9f07b2252117e4f4e61ee7d6a21d873d2ab014

SHA512
c8fee93cb93ef4752f21949a6e1ced9ae261c0e35175cfbde03e31bf5fcb121b91df7c8df5c57b6a01bfe799fbc4692080bd93095c9baaaef4d0364039b634a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe

Filesize
520KB

MD5
cbffbf0a03ba831e951c3733462f5660

SHA1
3113061f739d07035f0001e1149b50923cdbe559

SHA256
0dffbe520573d496d3ea33980797f5a27c2fb2cce0e977e75b025da6b312c7a6

SHA512
57d528f41012d647557e5e63531a3c5be21837244096366c2fd964c0a28affb1f7bf1584635b399b6db5c8aae9e3c4b7c9ce1d3126ee9af9db03d8b7c1a7afcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUQSWUXINSFCRRE\service.exe

Filesize
520KB

MD5
435fca567760a65d0f74a53c2dcd9450

SHA1
29c4055c558f636f0144f359501ee7a72ece9270

SHA256
55e4644e58b26188d1627b62eedbb67546cec62486c3a7acfed4711333ab43fe

SHA512
39174c1eb37b0331d0b82da15e4d8a4a6ed46bf1a36477c105b21182809b7660b9b6f0c85e7df6b4a1d5f4e8779da13fcb63e8202c4562dc0c4b989d60455316

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAQHRNICCRSPYKQ\service.txt

Filesize
520KB

MD5
9716c374547f57fb1b4d9c114aff8a80

SHA1
53d05e1b31dd5473bd577737d5999d24a9670a1a

SHA256
9d4335acdbdb8fc97e85e8ea414651da649a006962d6f48d129fbcf67a1db2b0

SHA512
ffe6778127777748fd80e9b1b11cc2a3c2bb6bb884684054129b89389f1ba0d4598134af75eafd3247df4f1d071d48831b1664025f50f653b213ea2beb71e3ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe

Filesize
520KB

MD5
97b8b2c2df422426951328ede462824b

SHA1
3ae3cbcb775342bec9473c7bed6a8a38e1c9fb8a

SHA256
37c2d7ce50f1f09e22f3c5631142c7b4076b0f6adbdb3e2c9b553a23134956c2

SHA512
a0568640c2a374cd7c4fbeb93e299eb5b924a2c7cf54db39744fe6e71e7c70a8238dc86978d6f2510879642f2d163a68717d402e24bd635324967ae375a88799

Download Submit
C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe

Filesize
520KB

MD5
23c1d5f4a5507b3da8954f92cde858f5

SHA1
8be35c89c02a0f0c1969e2421d3f63b1eb8f8282

SHA256
90ad1a057cfb0a3760316506e2d3d32c704cf7a04cf465ac1328d12373ca2a25

SHA512
117a19985425ed4af5320ee3f4615f43ed0245e66d28143261e51f424a49a5a5486ca7a842015d4c28065579e24eea4ba722c2a30a111a66e36fef421413b5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe

Filesize
520KB

MD5
9e99e2cb233d71f1db92f31e5adf0519

SHA1
f222977f28ea9c630f8d86004a7a33e3af877964

SHA256
51551ce828a805316adcdf712f31839408ae7563ddb594b8d5f2d907551e0d74

SHA512
34000366a92d17af84d803f3d4548d2e510fb89cc83610a666461ee653207370352d1ec694ed87a53f733c324e854d26c10c384839356dc453883105f4b36716

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULAK\service.exe

Filesize
520KB

MD5
c8786e151cc5bc53ac017a21a248bb4c

SHA1
7c129a535000096f2d89bd6578169d248d5d09a8

SHA256
a13e7e09a7918cd4c7a8163457b2ba8ec909234fc3a82a18d426bd6a31ebb13b

SHA512
f08480425d1335f8c4ec6d51092dc62d65e6d11d6a86ef79d83d206b2e426b087c10f4d0c4703f8b3f41e969fa2c837f9a644af0addcdbc11965812dc367fc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe

Filesize
520KB

MD5
16f865d3f5b85a4b7667fbeaef1d9ce2

SHA1
b0591f59bd39eb3a9dd6c9378bcad2f8f554def7

SHA256
d8613360cdfff18d40acb29771135f96a51a68176b94649dd8c299200565387b

SHA512
bf202c4bc3ef0fda3b741f37b5f3afa38ea8b72043c33da6c829ae7dad65f47492493f1e78c4dec7256dab0f8b7524e1f701e8fcf932809f10bf6672fd6007e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe

Filesize
520KB

MD5
99910103138e80fee8dfa0d3ad2e202a

SHA1
7734b5531f2fc4a253bc0944869dcc323b7287c2

SHA256
88be3e67cb32bbfeeebed9928dce233a1565682314170264c3604e65838154cd

SHA512
d85584e32c19c34455691b8666b87750ea799ff9308ffeb424b46bc947904326bbdbb9af7c027ba82547400a87d150c1111bfc569d5e67786eba25e7b7fc3d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe

Filesize
520KB

MD5
b27ea84f74224db9dca7f426e2aeac91

SHA1
a57c9a1816893f8884c91996dd4637ce0a7d8ee7

SHA256
ecff8706e7e4ecd8cedc60e43d4ebafd2c06bafa3993a59e676700606c13252a

SHA512
9cfb7146f29fcff1bf015688937e689ff2d32c15c169287723997a2daeae61a7199cd41ec8770a0eb15eb2a14c49f84edbef340a026724cc81b133e9e2ecd89f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOWF\service.exe

Filesize
520KB

MD5
13bfb1433625aa4a3e81d8867b6eecc4

SHA1
b102d5825d4f0b0018afaccb047e1e61925cbadf

SHA256
da60115c6ef9006d269f707e7fe833c017f934616a6e372f9f6673a73ac8079e

SHA512
a7a2588815b61e7479882c4eee9be3808724b600890b8be19f9a2003c976b0f081444b21ab2e4b159541af99ffb6d58253c1864010761031271d92a3b35d1016

Download Submit
C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe

Filesize
520KB

MD5
963929131284e288865a3fbc14c4a319

SHA1
526f3fea4e9db91ff150016bd1d8bfd86112d72a

SHA256
117e71ac3a4fd5a4af930a72037123d6b235d8408af21d9448521509b2e8489f

SHA512
ae97038ba91e4f11a181cb0ac53d8137d57a9c131a45ed5ae18fa03bd80cbde170f12f810e68c7b9f9192b9e9bca0c1773af956f27da43ba283ec6885938e837

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe

Filesize
520KB

MD5
49c1e06429ec6b7332834888e69f3fd6

SHA1
fb3bb3564f4ffee7cae85b54a1bb38db8a87a0b8

SHA256
da5d9e886efae364b0fc04489b6647040863b715aee75c6a18a96517fca2bd36

SHA512
26e80bfc242b5b1f29d6e51c3b70065b27aaa3e7a600f508b78c062d02343bbfe741857d5a6566d621a984ee8f6a2a802e2f845626b1b45938b22fd43084fdb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQIOVHHBUBSOYPK\service.exe

Filesize
520KB

MD5
503db4a2adc3368486dd546217d9ec25

SHA1
061791da1eb5c9d8eab6bf27add2025831428a28

SHA256
ab778b1002da8196d5d0a2645564ff0949bed5009bf56b1e8ebba20338df2b85

SHA512
f1738bd6ea29f5644b1285d9f6fd6c7d00398407d98901be7c22f6f49822e9f5ae8fc5c64e5a40f50bd03f0a18fd794c34881f3d86b8884d6c2dad52fff439c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHR\service.exe

Filesize
520KB

MD5
0ef84d611dd696a1935e1c8bb9f6f2ac

SHA1
1bccc971fb9009b7366b8d6d3c9852a60f78df0e

SHA256
b0654d0923f63a25d02c83d460d710f61f3fa469e6db03780fb2cc32f9b86592

SHA512
e1dfc9ca6b4aac7e7197c8e0006a0dfe3c3a8fae990a22442a79c8bc8d963579b84491f6144f55cc71928fad425ecb5a9f73c1dca2385c73f1b420b20e9fa3de

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe

Filesize
520KB

MD5
6b41234eba4fe7adeaed8487ba9d27ff

SHA1
c5a4c44793c6280c4b8de27dfeaac87e0a022d7b

SHA256
2b11df49f9c416caabe18b2b47d786b4a4b6a26ef8dacad4036540e51ca0cb8f

SHA512
d9e5064a4494e0355f498d671c770d2d4edeeccdf53e9c93eac20d06bdcec031bb46a938270a29c4535e3fff816cdc3a7f43446dad2f6cbe52e8aad7b4f7dc9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe

Filesize
520KB

MD5
4fd01d931348e6664b35855756a46d94

SHA1
1e075d50ffabb5ca44c534363f1ed7d625f8f850

SHA256
6832e0c394ba704cadaa0ba3fd64a4cfa70ddee54954179eebe6899b5b0d4b11

SHA512
5ad739922e5e35d7fb25492de645a585fb177d4a6e756bd39922ab1b239d3f6c45b55386e7bccaee76e5846e4f4bc227ff4ef9156c476535c544c9b073a78450

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe

Filesize
520KB

MD5
cc916e72fe1488bfb0985d292471939d

SHA1
2d141b3a17a0a96f91ec7987c41bfaefbb1bc603

SHA256
d5e206e7ea49d2738eaba75c0194f13f765f0aa85f5e581766d82194f964e2b7

SHA512
df56fa0f7ba50684c84bda4cb25ac50694e08a011aee89d3ada9a8f88145d050d36c32a43e09d79d36baa8eaa2dcb7414efb4408c622fa984862ee6566d024fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe

Filesize
520KB

MD5
390e567daf161b389af0e11be4215785

SHA1
9380321f1b5196171f485ec69c255c95b1689159

SHA256
f0d3798b9c8acf41c0023e1b1a1d92c535ba3c6350264043180b2944e35c12c8

SHA512
72dc594972865c035b20335d019c0bd062567febefb845af37c290ef2760668db2cce542f9d04fd0200335f910b0f8b07cf42407e4a8fb10df993063a9fbf3fc

Download Submit
memory/4484-515-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4484-517-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4484-522-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4484-523-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4484-525-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4484-526-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4484-527-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4484-529-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4484-530-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4484-531-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4484-533-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4484-534-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4484-535-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads